Hackers have stolen cryptocurrencies from at least 6,000 customers of the Nasdaq-listed digital asset exchange Coinbase by exploiting a flaw in its two-factor authentication system.
The news, first reported by Bleeping Computer, comes just a week after the company had to abandon plans to launch a new loan product amid the threat of legal action from U.S. securities regulators.
According to a letter sent to affected customers, which was uploaded to the California Attorney General’s website and dated Friday, the victims were targeted between March and May of this year.
Attackers needed to have prior knowledge of users’ email addresses, passwords, and phone numbers, as well as access to their inbox.
Coinbase said it was unable to determine “conclusively” how this happened, but that it was likely the result of phishing attacks or “social engineering” techniques that induced users to reveal their credentials.
It said it could not find any evidence that this information was obtained from the exchange itself, and that the attackers had not breached its security infrastructure.
A flaw in Coinbase’s SMS account recovery process meant that accounts using SMS for authentication were vulnerable: attackers who already held the victim’s credentials and phone number could have the authentication messages sent to themselves rather than to the victims.
In addition to access to funds, attackers could gain access to information including personal addresses, full names, and transaction histories.
Coinbase said it “immediately” fixed the flaw, but did not disclose when it discovered the vulnerability or the hacking campaign.
“Due to the size, scope and sophistication of the campaign, we worked with a range of partners, law enforcement agencies and other stakeholders to understand the attack and develop mitigation techniques,” the company said.
“We did not feel comfortable publicly disclosing the attack until the appropriate steps were taken to ensure that it could not be successfully repeated and would not compromise the integrity of law enforcement investigations.”
Coinbase did not disclose how much was stolen in the attack, but said customers would be reimbursed for any lost funds.
A blog post published on Monday indicated that there had been an increase in Coinbase-branded phishing messages between April and May, which had shown a higher degree of success in bypassing the spam filters of some older messaging services. It advised using two-factor authentication methods other than SMS.
The exchange, which was listed in New York in April, was forced into an embarrassing climbdown over its Lend product, which was initially reported to offer a 4% annual return to holders of its stablecoin, USD Coin.
The Securities and Exchange Commission had warned that it would sue if the product was launched and had issued subpoenas asking for more information. Coinbase chief executive Brian Armstrong accused the regulator of “sketchy behavior” before the product was put on the back burner.
The company has also come under scrutiny in recent months over its claims that USD Coin is fully backed by US dollar reserves, despite evidence showing that the holdings have also included “approved investments” since March of last year.
Coinbase and the payments group Circle, which jointly operate USD Coin, have pledged to adopt a reserve policy of cash and Treasury bills by the end of September.